Android OS did not use the FLAG_SECURE flag for sensitive settings,
potentially exposing sensitive data to other applications on the same
device with the screen capture permissions. The vendor (Google) fixed
this issue in 2018-02-01 Pixel security update. Google has assigned
CVE-2017-13243 to track this issue.

DETAILS

Android OS is a mobile operating systems for phones and tablets
developed by Google. The OS has multiple screens where sensitive
information maybe shown such as the device lock screen, passwords in
the WiFi settings, pairing codes for Bluetooth, etc.

FLAG_SECURE is a special flag available to Android developers that
prevents a particular screen within an application from being seen by
other application with screen capture permissions, having screenshots
taken by the user, or have the screen captured in the ?Recent Apps?
portion of Android OS. We have published an extensive post last year
discussing this feature is and what it does:
https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-an
droid-applications-from-screen-capture/

During our testing of various Google mobile applications, we found
that the lock screen, password entry screen for WiFi, and the screen
for entering pairing codes for Bluetooth devices did not use
FLAG_SECURE to prevent other applications for capturing that
information. By contrast other Google applications like Android Pay
and Google Wallet use this flag to prevent capture of sensitive
information. Exploiting this bug requires user cooperation in
installing a malicious app and activating the actual screen capture
process, thus the likelihood of exploitation is low.

To reproduce:
1. Lock the device, OR go to WiFi settings and try to add a network,
or try to pair a Bluetooth device.
2. Press Power and volume down to capture screenshot.
3. Confirm that a screenshot can be taken.